The visibilities of the distributed cache files and archives are currently determined by the permission of these files or archives.
The following is the logic of method isPublic() in class ClientDistributedCacheManager:
At NodeManager side, it will use "yarn" user to download public files and use the user who submits the job to download private files. In normal cases, there is no problem with this. However, if the files are located in an encryption zone(
HDFS-6134) and yarn user are configured to be disallowed to fetch the DataEncryptionKey(DEK) of this encryption zone by KMS, the download process of this file will fail.
You can reproduce this issue with the following steps (assume you submit job with user "testUser"):
- create a clean cluster which has HDFS cryptographic FileSystem feature
- create directory "/data/" in HDFS and make it as an encryption zone with keyName "testKey"
- configure KMS to only allow user "testUser" can decrypt DEK of key "testKey" in KMS
- execute job "teragen" with user "testUser":
- execute job "terasort" with user "testUser":
You will see logs like this at the job submitter's console:
The initial idea to solve this issue is to modify the logic in ClientDistributedCacheManager.isPublic to consider also whether this file is in an encryption zone. If it is in an encryption zone, this file should be considered as private. Then at NodeManager side, it will use user who submits the job to fetch the file.